Translation of Press Release of the German Federal Data Protection Commissioner
regarding Amendments to the Federal Data Protection Act
by Christopher Kuner
German Original Available at http://www.bfd.bund.de/Presse/pm20010511.html
Comment by Christopher Kuner: On Friday, May 11, the upper chamber of the German
Parliament (Bundesrat, made up of representatives of the federal states) voted
to amend the German Federal Data Protection Act (BDSG). The law entered into
force on May 23. The
following press release gives an overview of major changes brought about by the
new Act. Note that processing already being undertaken must be brought into
compliance with the new Act within three years (for processing within the EU)
or five years (for processing outside the EU to which the Act applies).
Amendments to Federal Data Protection Act now in Force
The new Federal Data Protection Act (BGBl.
I of May 22, 2001, p. 904) entered into force on May 23, 2001.
The Federal Data Protection Commissioner,
Dr. Joachim Jacob, made the following statement:
With these amendments of the Federal Data
Protection Act (BDSG) the provisions of the EU Data Protection Directive
95/46/EC of October 1995 have finally been implemented into national law. The Act contains a number of changes, in
particular with regard to business activities, of which only the most important
can be discussed here.
Thus, there have been numerous expansions
in the general part of the Act, which apply both for the public and the
non-public sector. The provisions of
the BDSG will also apply in the non-public sector for all automatic processing
of personal data; a relation to a data file will then only be necessary in
cases of manual processing (§ 1 para. 2 no. 3 BDSG). The Act also contains the following changes:
- Fixing of the principle of data
avoidance and data minimization (§ 3a BDSG);
- Provisions on the transfer of personal
data abroad, also for the non-public sector (§§ 4b and 4c BDSG, by deletion
of the previous § 17 BDSG);
- Provisions on the duty of notification
and pre-control, §§ 4d and 4e BDSG (with deletion of the previous
§ 32 BDSG); the duty of notification does not apply if a data protection
officer is named, which significantly strengthens the position of data
protection officers. The duties of data
protection officers will also include so-called pre-control of processing which
contains particular risks for personality rights;
- Uniform provisions for data protection
officers, which are now also mandated for the public sector, §§ 4f and 4g
BDSG (with deletion of the previous §§ 36 and 37 BDSG);
- Restrictive provisions for automated
decision-making, § 6a BDSG;
- Legal conditions for video
surveillance (also by private persons) of publicly-accessible premises,
§ 6 BDSG. This will only be
permitted under particular circumstances under conditions set forth in the Act,
and must be made discernible through special measures and must be weighed
against the protectable interests of the data subject. In addition, the Act contains duties of
purpose limitation, information, and deletion;
- Legal conditions for the issuance and
the use of mobile personal storage and processing media (smart cards),
§ 6c BDSG, which should lead to more transparency and legal security for
data subjects;
- Provisions on data protection audits,
§ 9a BDSG;
- Improvements of rights of information,
notification, and objection;
- Strengthening of the data protection
authorities, which will also be able to enforce the law without a particular
complaint having been made, § 38 para. 1 BDSG;
- Expansion of criminal and monetary
penalties, which will also cover substantive violations of the BDSG, §§ 43
and 44 BDSG.
Of particular importance are changes
concerning data processing by the private sector, which will considerably
increase the protection provided to citizens affected:
- Strict application of the principle of
purpose limitation, both for processing for one’s own purposes and for
professional data processors;
- Application of the principle that
processing must be limited to a specific purpose already at the time personal
data are collected;
- A duty of notification to data
subjects concerning their rights of objection and to the data controller in the
case of data processing for purposes of advertising, marketing or market
research;
- Particular provisions concerning the
collection, processing, and use of sensitive data (information on racial and
ethnic origin, political opinion, religious or philosophical views, membership
of labor unions, health, or sex life);
- Expanded rights of data subjects
regarding listing in address, telephone, sectoral or similar directories.
Data protection in Germany in the interest
of all citizens is significantly increased by the entry into force of the new
BDSG.